Three Lessons from the Equifax Data Breach

Every company is at risk, no matter how sophisticated.It might have been safe to assume that an entity as large and sophisticated as Equifax had top-notch security. Perhaps that was an erroneous assumption. But, almost every company possesses data about others (its customers, employees, business partners) that is valuable to a hacker. Small and mid-size companies should continue to do what they can to protect their data, but they should not assume the data is truly secure. Nor should companies assume its vendors or partners are secure. Dealing with the liabilities associated with breaches through contractual indemnification clauses takes on increased importance in today’s connected world.

Every company should plan for a breach. Given that all companies are at risk, they should prepare to act swiftly in the event of a breach. Equifax suffered additional public relations damage because it “waited” six weeks to notify the public. There are several possible legitimate reasons for a delay, including a request by law enforcement. Complying with the country’s patchwork of notification laws is not as straightforward as it should be. Every company should develop an action plan that addresses investigating the breach and providing notification as soon as practicable.

Credit monitoring is only somewhat helpful. Equifax offered a year of free credit monitoring for affected individuals and most people have come to expect that benefit in the event of a breach. The Equifax event shone a light on an on-going discussion about the usefulness of credit monitoring because it only provides alerts and does not actually prevent the wrongful use of one’s identity. A credit freeze, on the other hand, makes it more difficult for hackers to benefit from the stolen information. Of course, a credit freeze can be problematic for the person rightfully attempting to access credit, but that inconvenience probably pales in comparison to trying to undo fraudulent transactions. Because the information taken from Equifax has lasting value, credit monitoring for one year might not provide sufficient protection against identify theft. Companies may need to consider offering to pay for credit freezes, as opposed to credit monitoring, in the future.